Wireless Network Security
14-814 Spring 2014
Patrick Tague
Class #5
Jamming
2014 Patrick Tague

Announcements
- Travel to Pgh: I'll be on the other side of the camera on Feb 4
- Let me know if you'd like to meet Feb to discuss project topics or anything else course related
  - I'm available most of Monday Feb 3 and morning of Feb 4
  - Send me a few times that work for you

Jamming the Party

Jamming
- Conceptually, jamming is a physical layer denial-of-service attack that aims to prevent wireless communication between parties
[Figure: Alice sends Messages to Bob; Mallory transmits Interference]

How Does Jamming Work?
[Figure: Sender -> Path Loss -> Receiver, with Interference + Jamming + Noise added at the receiver]
- Receiver can decode message if SINR ≥ τ
- Jamming decreases SINR, causes decoding failure and packet loss
- But, there are numerous ways to do this

Generalized Jamming
- A jammer allocates energy/signal to diverse time, freq, etc. resources according to an attack strategy S
  - Effect E(S) of the attack
  - Cost C(S) of the attack
  - Risk R(S) of being detected / punished
- With other metrics, an optimization emerges
[Figure: resource grid with axes Time and Frequency]

Jamming Strategies: Time Domain
[Figure: timelines of link traffic (packets) against Constant, Random, Periodic and Reactive jamming]
[Xu et al., 2006; Mpitziopoulos et al., 2009]

Jamming Strategies: Frequency Domain
[Figure: link traffic on channels Ch. 1, Ch. 2, Ch. 3, ..., Ch. k against Broadband, Single Ch., Single Sub-Ch. and Multiple Sub-Ch. jamming]

Jamming Attack Types
- Noise-based jamming (aka "classical jamming")
  - Attacker raises the noise floor, causing low SNR for high BER/SER
- Signal-based jamming
  - Attacker injects valid-looking signal to block others or occupy the channel/radio
- Packet-based jamming
  - Attacker injects well-formed packets
- Protocol-based jamming
  - Attacker leverages higher-layer protocol structure to improve attack in some way

Common Misperceptions
- Jamming signals, like other wireless signals, reach/affect all receivers within a distance R
  - Neither are circular, but they're sometimes modeled that way
- All receptions within jammer's range are blocked whenever the jammer is on
  - Like typical communications, jamming success is not guaranteed
- Jamming strategies are static
  - Nothing prevents a jammer from changing strategy, params, etc. in time or in response to network events

How can we protect against jamming?

Spread Spectrum
- Effect of narrow-band jamming is reduced due to wide-band signal expansion
  - The same attack has less impact
- More attacker resources (bandwidth, power, or both) are required for the same impact
  - More costly to get the same impact
  - Easier to detect

Overhead of Spread Spectrum
- Both FHSS and DSSS require synchronization using a shared secret
  - If the jammer knows the secret, spread spectrum has no benefit
- Key management is required
  - Previously unpaired devices may not be able to perform key mgmt steps while under attack

What if I want to use spread spectrum to communicate with someone, but we don't yet share a key for sync?

Secret key establishment in the presence of a jammer
[Figure: dependency cycle between "Spread-spectrum (FHSS or DSSS)" and "Shared secret key for synchronization"]
- How to break the cycle?
- Can we establish a shared key in the presence of a jammer without relying on a shared key?

Uncoordinated Freq. Hopping [Strasser et al., S&P 2008]
- Basic idea of UFH:
  - Sender hops randomly over a large set of channels
  - Receiver hops randomly but more slowly
  - Sender-receiver occasionally meet and exchange data
- Throughput is very low, but anti-jamming protection is equivalent to FHSS
[Figure: channel sequences over time t.
  S: 12 2 3 23 5 65 8 32 14 7 19 52 11 41 58 8 62
  R: 1 5 36 11 28]

Key Agreement with UFH
- UFH can facilitate key agreement in the presence of jamming
  - Need to exchange long key agreement message parts, e.g., for authenticated Diffie-Hellman protocol
  - However, for anti-jamming protection, msg needs to be very short (~100s of bits), so key agreement msgs need to be highly fragmented
- Sender can transmit continual stream of msg fragments using UFH, receiver will eventually get all of them

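How long "eventually" is can be estimated with a short simulation of the scheme on the two slides above. This is an added example, not code from the lecture or from Strasser et al.; the channel count, receiver dwell time, fragment count and the random jammer that blocks a fixed number of channels per slot are all assumptions.

```python
import random

def slots_to_collect(channels, dwell, fragments, jammed, rng):
    """Slots until the receiver holds every fragment of one message."""
    got, slot, rx_ch = set(), 0, None
    while len(got) < fragments:
        if slot % dwell == 0:
            rx_ch = rng.randrange(channels)        # receiver hops slowly
        tx_ch = rng.randrange(channels)            # sender hops every slot
        # Assumed jammer model: blocks `jammed` random channels in each slot.
        blocked = set(rng.sample(range(channels), jammed))
        if tx_ch == rx_ch and tx_ch not in blocked:
            got.add(slot % fragments)              # sender cycles through fragments
        slot += 1
    return slot

def mean_slots(channels, dwell, fragments, jammed, trials=300, seed=1):
    """Average collection time over independent trials (seeded, repeatable)."""
    rng = random.Random(seed)
    total = sum(slots_to_collect(channels, dwell, fragments, jammed, rng)
                for _ in range(trials))
    return total / trials

if __name__ == "__main__":
    # 20 channels, receiver dwells 8 slots, 5 fragments per message.
    print("no jammer      :", mean_slots(20, 8, 5, jammed=0))
    print("4 of 20 jammed :", mean_slots(20, 8, 5, jammed=4))
```

The jammer slows collection down roughly in proportion to the share of channels it blocks, but cannot stop it without blocking every channel.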
Fragmentation Threats
- Fragment jamming: Attacker can jam message fragments to try to prevent or delay key agreement
- Fragment insertion: Attacker can insert malicious message fragments generated using valid keys and/or reusing fragments
- Message modification: Attacker can attempt to flip message bits or replace fragments

Linking Fragments
- Cryptographically link message fragments
- Instead of using a shared key for integrity checking, just use a simple hash function to link fragments to each other

  $M := m_S, \mathrm{sig}(m_S)$
  $m_i := id \,\|\, i \,\|\, M_i \,\|\, h_{i+1}$
  $h_l := h(m_1), \quad h_i := h(m_{i+1})$

[Figure: message M split into parts M_1, M_2, ..., M_l, carried in linked fragments m_1, m_2, ..., m_l]

UFH Results
- Receiver gets a bunch of fragment links, some from a valid sender and some from attackers
- Full fragment cycles can be reconstructed into valid messages
- Any messages that fail signature verification, have an expired timestamp, or fail another check can be dropped
- Once a verifiable message is received, a key can be established for full-fledged spread spectrum or any other purpose

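The receiver-side reassembly described on the last three slides, as an added example that is not code from the lecture or from Strasser et al. Assumptions: SHA-256 truncated to 8 bytes as the link hash, one-byte id and index fields, and a chain that ends with an all-zero link rather than following the slide's exact index convention; signature and timestamp checks happen after this step and are not implemented here.

```python
import hashlib
import random

HLEN = 8                  # assumed link length in bytes (keeps fragments short)
END = b"\x00" * HLEN      # assumed terminator carried by the last fragment
HONEST = b"g^x | timestamp | signature (placeholder)"   # constructed message

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:HLEN]

def fragment(msg_id: int, message: bytes, size: int) -> list:
    """Build fragments back to front so each one carries h(next fragment)."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    frags, link = [], END
    for idx in reversed(range(len(chunks))):
        frag = bytes([msg_id, idx]) + chunks[idx] + link   # id | i | M_i | link
        frags.append(frag)
        link = h(frag)
    return frags[::-1]

def reassemble(received) -> list:
    """Return every message whose fragments form a complete chain 0..END."""
    by_hash = {h(f): f for f in received}       # also drops repeated fragments
    messages = []
    for first in by_hash.values():
        if first[1] != 0:
            continue
        parts, cur, idx = [], first, 0
        while cur is not None and cur[0] == first[0] and cur[1] == idx:
            parts.append(cur[2:-HLEN])
            if cur[-HLEN:] == END:
                messages.append(b"".join(parts))
                break
            cur, idx = by_hash.get(cur[-HLEN:]), idx + 1
    return messages

def demo() -> list:
    # Constructed traffic: honest chain, one replaced fragment, one attacker chain.
    honest = fragment(7, HONEST, 6)
    forged = bytes([7, 1]) + b"EVIL!!" + honest[1][-HLEN:]   # swaps M_1 only
    attacker = fragment(9, b"attacker's own unsigned msg", 6)
    air = honest + [forged] + attacker + honest[:2]           # includes repeats
    random.Random(1).shuffle(air)
    return reassemble(air)
```

The replaced fragment never joins a chain because its hash no longer matches the link in fragment 0, while the attacker's complete chain does reassemble, which is why the signature check on the reassembled message is still required.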
But, there's a catch...
- Still need public keys validated by a CA

Is spread spectrum enough?
No.

Why SS Isn't Enough
- Defeating jamming completely is impossible
- Mitigation instead of defense
  - Make the attack more expensive
  - Make the attack less effective
  - Make the attack easier to detect
- Attacker can counter any mitigation strategy
- It's a cat and mouse game

Ok, then how about detecting jamming attacks?

Jamming Detection & Defense [Xu et al., IEEE Network 2006]
- Goal: detect and localize jamming attacks, then evade them or otherwise respond to them
- Challenge: distinguish between adversarial and natural behaviors (poor connectivity, battery depletion, congestion, node failure, etc.)
- Certain level of detection error is going to occur
- Appropriate for deployment in sensor networks
- Approach: coarse detection based on packet observation

Basic Detection Statistics
- Received signal strength (RSSI)
  - Jamming signal will affect RSSI measurements
  - Very difficult to distinguish between jamming/natural
- Carrier sensing time
  - Helps to detect jamming as MAC misbehavior
  - Doesn't help for random or reactive cases
- Packet delivery ratio (PDR)
  - Jamming significantly reduces PDR (to ~0)
  - Robust to congestion, but other dynamics (node failure, outside comm range) also cause PDR ~0

Advanced Detection
- Combining multiple statistics in detection can help
  - High PDR + High RSSI => OK
  - Low PDR + Low RSSI => Poor connectivity
  - Low PDR + High RSSI? => Jamming attack

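The PDR/RSSI consistency check from this slide, run over a few observation windows. This is an added example, not code from the lecture or from Xu et al.; both thresholds, the window format and all sample values are assumptions, and a node with at least one well-delivered link is treated as not jammed.

```python
import math

PDR_LOW = 0.65          # assumed: a link below this counts as "low PDR"
RSSI_HIGH_DBM = -75.0   # assumed: ambient level above this counts as "high RSSI"

def mean_dbm(samples):
    """Average in milliwatts, then convert back to dBm."""
    mw = [10 ** (s / 10) for s in samples]
    return 10 * math.log10(sum(mw) / len(mw))

def link_pdr(expected, decoded_seqs):
    """Share of the expected sequence numbers that decoded correctly."""
    if expected == 0:
        return 0.0
    return len(set(decoded_seqs) & set(range(expected))) / expected

def classify(window):
    """window = {'rssi': [dBm, ...], 'links': {neighbor: (expected, [seq, ...])}}"""
    best = max((link_pdr(e, s) for e, s in window["links"].values()), default=0.0)
    if best >= PDR_LOW:
        return "ok"                     # at least one neighbor is reachable
    if mean_dbm(window["rssi"]) > RSSI_HIGH_DBM:
        return "suspected jamming"      # strong signal, yet almost nothing decodes
    return "poor connectivity"          # weak signal explains the losses

# Constructed observation windows for one node (not measured data).
WINDOWS = {
    "normal":   {"rssi": [-62, -60, -64],
                 "links": {"B": (10, range(10)), "C": (10, [0, 1, 2, 4, 5, 6, 8, 9])}},
    "C failed": {"rssi": [-63, -61, -65],
                 "links": {"B": (10, range(9)), "C": (10, [])}},
    "isolated": {"rssi": [-96, -94, -97],
                 "links": {"B": (10, [3]), "C": (10, [])}},
    "jammed":   {"rssi": [-58, -61, -57],
                 "links": {"B": (10, []), "C": (10, [7])}},
}

def run():
    return {name: classify(w) for name, w in WINDOWS.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:9s} -> {verdict}")
```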
Jammed Area Mapping
- Based on advanced detection technique, nodes can figure out when they are jammed
- At the boundary of the jammed area, nodes can get messages out to free nodes
- Free nodes can collaborate to perform boundary detection using location information

Evading Jamming
- Nodes in the jammed region can evade the attack, either spectrally or spatially
  - Spectral evasion => "channel surfing" to find open spectrum and talk with free nodes
  - Spatial evasion => mobile retreat out of jammed area
- Need to compensate for mobile jammers' ability to partition the network (see figure in paper)

What about dynamic attack and defense strategies?

Optimal Jamming & Detection [Li et al., Infocom 2007]
- Problem setup: each of the network and the jammer have control over random jamming and transmission probabilities
  - Network parameter γ is probability each node will transmit in a time slot
  - Attack parameter q is probability the jammer will transmit in a time slot
- Goal: choose γ* (resp. q*) to minimize (resp. maximize) detection delay + response time
- What does each player know about its opponent?

Detection & Response
- Network nodes need time to collect and analyze information to make a detection decision
  - e.g., use the Sequential Probability Ratio Test (SPRT)
- Relaying detection results to those who can take action also takes time, depending on:
  - Deployment pattern/statistics
  - Radio parameters (power, range, etc.)
  - Effect of jamming on message relaying

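Why detection takes time, and why that time depends on how aggressive the jammer is, shown with Wald's SPRT on per-slot collision observations. This is an added example, not code from the lecture or from Li et al.; the collision probabilities p0 (no jammer) and p1 (jammer active) and the error targets alpha and beta are assumed values, and the mapping from γ and q to those probabilities is not modeled.

```python
import math

def sprt(observations, p0, p1, alpha=0.01, beta=0.01):
    """Wald SPRT over per-slot observations (1 = collision seen, 0 = clean slot).
    H0: collision probability p0 (no jammer); H1: p1 > p0 (jammer active).
    Returns (decision, slots_used)."""
    upper = math.log((1 - beta) / alpha)     # crossing it decides "jamming"
    lower = math.log(beta / (1 - alpha))     # crossing it decides "normal"
    llr, n = 0.0, 0
    for x in observations:
        n += 1
        llr += math.log(p1 / p0) if x else math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "jamming", n
        if llr <= lower:
            return "normal", n
    return "undecided", n

def expected_delay_under_attack(p0, p1, alpha=0.01, beta=0.01):
    """Wald's approximation of the mean number of slots to decide when H1 holds."""
    upper = math.log((1 - beta) / alpha)
    lower = math.log(beta / (1 - alpha))
    # Mean log-likelihood-ratio gained per slot while the jammer is active.
    step = p1 * math.log(p1 / p0) + (1 - p1) * math.log((1 - p1) / (1 - p0))
    return ((1 - beta) * upper + beta * lower) / step

if __name__ == "__main__":
    print(sprt([1, 1, 1, 1, 1, 1], p0=0.1, p1=0.4))   # constructed slot trace
    print(sprt([0] * 20, p0=0.1, p1=0.4))             # constructed slot trace
    for p1 in (0.4, 0.2):
        print(p1, round(expected_delay_under_attack(0.1, p1), 1), "slots")
```

With p0 = 0.1, a jammer that raises the collision rate to 0.4 is detected in about 14 slots on average, while one that raises it only to 0.2 takes about 101 slots.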
Opposing Optimizations
- Given information about the delay metrics, the opponents can both try to optimize:
  - Attacker optimizes the jamming probability q to maximize the delay
  - Defender optimizes the transmitting probability γ to minimize the delay
- If opponents don't know each other's parameters
  - Attacker chooses q to max-min the delay
  - Defender chooses γ to min-max the delay

Adaptive Jamming [DeBruhl et al., MASS 2012]
- More generally, the attacker can observe the opponent and tweak a number of parameters to meet a specific goal

10%-PDR Adaptive Jamming

Jamming Games
- What if both the attacker and defender are freely adapting in response to each other?
[DeBruhl & Tague, PMC 2014]

Open Research Problems
- Since jamming introduces a seemingly eternal cat and mouse game, there's a lot of work to do
  - Understanding / modeling / evaluating attacks
  - Developing efficient / effective / practical mitigation strategies

January 30: Physical Layer Security